- Attackers compromised an OpenAI repository on HuggingFace and distributed a data stealer disguised as a “privacy filter” model.
- The malware disabled SSL checks, escalated privileges, and deployed the sefirah payload to steal credentials, crypto wallets and system data.
- The fake repository reached 244,000 downloads and briefly topped the HuggingFace rankings before its removal, and other linked malicious repositories were also removed.
Experts warned that cybercriminals were able to counterfeit OpenAI products to distribute information-stealing malware to more than 240,000 computers before being detected and removed.
Security researchers at HiddenLayer said they detected a new repository on HuggingFace called Open-OSS/privacy-filter.
The privacy-filter repository is, according to HiddenLayer, a typosquatted version of the official release, which came with a model card that was copied “almost word for word.” The submitted loader.py file fetches and executes an information stealer, they added.
Climbing to the top
Before deploying the information stealer, the malware first disabled SSL verification, decoded a base64 URL, and downloaded from it a JSON payload containing a PowerShell command. This command, in turn, downloaded a batch file that escalated privileges, deployed the ‘sefirah’ payload, added it to the Microsoft Defender exclusion list, and then ran it.
The infostealer itself does what most infostealers do: it takes data saved in browsers, extracts Discord tokens, local databases and master keys, steals information from cryptocurrency wallets, data from browser extensions, SSH, FTP and VPN credentials, as well as sensitive files stored locally. It can also take screenshots, exfiltrate system information, and more.
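The loader behaviours described above (disabled SSL verification, a base64-encoded URL, a PowerShell call) can be flagged statically before any code from a downloaded model repository is run. The following is an added example, not code from HiddenLayer or from this article; the function names, finding labels and the sample source (constructed, with a placeholder example.invalid URL and a harmless PowerShell command) are assumptions.

```python
import ast
import base64
import re

URL_RE = re.compile(rb"^https?://", re.I)

def _decodes_to_url(text):
    """True if a string literal is valid base64 that decodes to an http(s) URL."""
    try:
        return bool(URL_RE.match(base64.b64decode(text, validate=True)))
    except ValueError:  # not base64 (binascii.Error) or non-ASCII text
        return False

def scan_source(source):
    """Parse Python source without running it; return sorted (line, finding) pairs."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.keyword) and node.arg == "verify":
            # requests-style call with verify=False
            if isinstance(node.value, ast.Constant) and node.value.value is False:
                findings.add((node.value.lineno, "tls-verification-disabled"))
        elif isinstance(node, ast.Attribute) and node.attr == "_create_unverified_context":
            findings.add((node.lineno, "tls-verification-disabled"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if len(node.value) >= 16 and _decodes_to_url(node.value):
                findings.add((node.lineno, "base64-encoded-url"))
            if "powershell" in node.value.lower():
                findings.add((node.lineno, "powershell-invocation"))
    return sorted(findings)

# Constructed sample for the scanner to parse; it is never executed.
_ENC = base64.b64encode(b"https://example.invalid/stage.json").decode()
SAMPLE = f'''import base64, requests, subprocess
url = base64.b64decode("{_ENC}").decode()
resp = requests.get(url, verify=False)
subprocess.run(["powershell", "-Command", "Get-Date"])
'''

if __name__ == "__main__":
    for line, finding in scan_source(SAMPLE):
        print(f"line {line}: {finding}")
```

A hit is a reason to read the file before loading the model, not proof of malice; legitimate code also disables certificate checks or shells out.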
The download count on the fake repository is huge: 244,000 downloads in just a few days.
However, this does not mean that every download causes an infection. BleepingComputer says that download numbers may have been inflated and that the repository itself received likes from 667 auto-generated accounts. Still, even if everything was fake, the repository managed to reach the #1 spot on Hugging Face for a brief moment, which definitely could have led to infections.
However, by tracking the fake accounts, HiddenLayer was able to expose other, less successful repositories, which were also malicious and used the same infrastructure. All of these have since been removed from the platform.





